Pharmacists have a range of responsibilities including reviewing prescriptions, educating individuals about medication use and side effects, and acting as a last line of defence to ensure that multiple medications do not interact with one another. In order to provide these services, pharmacists collect a significant amount of personal health information and are regulated by the Personal Health Information and Privacy Act (PHIPA) in Ontario and the Health Information Act in PEI. So, when a pharmacy’s systems are breached (for instance by way of a hack, a social engineering scam, or unauthorized access), the pharmacy is required to notify affected individuals and report the breach to the Privacy Commissioner to comply with the legislation. This is exactly what happened in a recent privacy investigation against a pharmacy in Prince Edward Island.
A breach notification indicated that in late August 2017, two employees at a pharmacy accessed the personal health information of their former co-worker using the Drug Information System (DIS). The DIS is a provincial database of medication profiles for residents of PEI used by pharmacies to assist with patient care. The Privacy Commissioner conducted an investigation and determined that although one employee had inappropriately accessed the electronic records, the personal health information was not disclosed to other unauthorized individuals.
While the pharmacist did not witness the incident, a staff member reported that in August 2017, two employees accessed the personal health information of the Affected Individual using the DIS and disclosed the information at the work site. In response, the pharmacist spoke to the employees, who acknowledged that they had accessed the information without authorization; however, each blamed the other – a classic case of he said, she said.
In November 2017, the pharmacist verbally notified the Affected Individual (the former co-worker) of the incident. The pharmacist then sent an email to the manager of the pharmacy about this discussion, presuming that the manager was already aware of the incident. The manager advised that they were not. The manager conducted an investigation in which one employee admitted the unauthorized access but the other did not. In December 2017, four months after the incident, the pharmacy notified the Commissioner.
The Commissioner’s Investigation
When the Commissioner conducted its own investigation, the employees were invited to participate. One employee admitted to the unauthorized access and expressed remorse for the “momentary lapse in judgment.” The second employee denied that they had ever accessed the Affected Individual’s information in the DIS. Neither employee recalled speaking with the pharmacist. The Commissioner attributed the discrepancies to the passage of time and the possibility that the information at issue may have been obtained by other legitimate means.
Based on a DIS audit, the conclusions reached by the pharmacy, and the information provided to the Commissioner, it was determined that (1) the first employee inappropriately accessed the personal health information of the Affected Individual; (2) there was insufficient evidence that the second employee accessed the information; and (3) there was insufficient evidence that either employee disclosed the personal health information of the Affected Individual.
Policies, Procedures, and Breach Response
The Commissioner found that at the material time, the pharmacy did not have reasonable information practices in place to identify and prevent privacy breaches. The organization did not have unique User IDs for all those who accessed the DIS, which meant that activity in the DIS could not be reliably attributed to an individual employee. The organization also did not have staff training or educational resources regarding privacy issues. Since the breach, the pharmacy has implemented new software and conducted privacy training for employees. It has also established reasonable prevention and detection tools.
With respect to the breach response, the Commissioner concluded that the pharmacy took reasonable steps to contain and investigate the breach. However, the pharmacy did not notify the Affected Individual or the Commissioner of the breach within a reasonable time period, as required by law. The late notification appeared to be because of a mistaken belief that the manager was aware of the incident. This demonstrated a lack of procedure by the pharmacy relating to breach notification. Additionally, the pharmacy ought to have followed up with the Affected Individual once the investigation was complete and implemented a clear breach management procedure.
The Commissioner made recommendations for the adoption of privacy breach management procedures, which should include designating a staff member that all employees report to in the event of a suspected privacy breach. The Commissioner also recommended establishing a clear internal process to follow if a privacy breach is discovered. The latter would include reasonable guidelines for notification, containment, investigation and remediation.
If an organization collects, uses, or discloses personal health information, it is subject to PHIPA or the equivalent privacy legislation in its province. This legislation requires a health information custodian to notify all affected individuals of a privacy breach and to report it to the Privacy Commissioner. In order to comply with the notification and reporting requirements, the organization must implement policies and procedures to identify such breaches and respond properly.
It is recommended that organizations assign a Privacy Officer to whom other employees can report actual or suspected breaches. Identifying breaches requires the organization to train and educate its employees about their obligations regarding the proper handling of personal health information. Finally, organizations must prepare breach response plans to be followed in the event of a breach. Such a plan would cover containment of the breach, timely notification and reporting, and proper follow-up. Not only is this required by law, it is also a valuable risk management mechanism that helps lower investigation costs, fines, and litigation exposure.
Remember, failing to plan is planning to fail.
See Community pharmacy (Re), 2019 CanLII 71193 (PE IPC)
Once the target of an unsuccessful phishing scam, Stas is a key part of SBA’s cyber liability and privacy group providing services ranging from assessments and prevention to crisis response.